Quote from Bernhard Schmidt <be...@birkenwald.de>:
> On 20.12.2011 10:24, lst_ho...@kwsoft.de wrote:
>
>> Hello,
>>
>> Any idea how to allow all certificates issued by specific Sub-CAs, without trusting everyone?
>
> As far as I understand you have to list the complete chain but only your sub-CA to get it working. So create a smtpd_tls_CAfile with the Telekom root and your sub-CA and nothing else. This would allow relaying for any certificate your sub-CA or the Telekom root CA has issued, but not for certificates issued by any sub-CA of the Telekom beside yours. Be aware that you should not do this on a public-facing port 25.
>
> Unfortunately no-go, the full chain needs to be in smtpd_tls_CApath, otherwise I get "unable to get issuer certificate". And doing that would defeat the purpose, since we would be an open relay for everyone having a DTAG certificate.
To my knowledge you would *only* be an open relay for certificates issued directly by the Telekom root-CA and for certificates issued by your sub-CA, not for certificates issued by other Telekom sub-CAs not included in the file. Not sure if the Telekom root-CA is used to issue certificates anyway.
Viktor will correct me if I'm wrong ;-)

Regards
Andreas
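The question the thread leaves open is what a verifier actually does with the sub-CA certificate that a TLS client sends along with its own certificate in the handshake: OpenSSL (and Postfix through it) uses those client-supplied certificates as untrusted intermediates when building the chain to the trust store. The following is an added example, not code from the thread or from Postfix, that builds a throwaway PKI (a root, two sibling sub-CAs and one client certificate under each; all names are constructed) with Go's standard crypto/x509 and checks each trust-store layout discussed above against each client. One known difference from the OpenSSL build in the thread: Go accepts a non-self-signed certificate as a trust anchor, so the "sub-CA only" layout verifies here, whereas the OpenSSL in the thread insisted on reaching a self-signed root and reported "unable to get issuer certificate".

```go
package main

// Added example (not from the thread or from Postfix): a throwaway PKI in
// Go's crypto/x509 that mirrors the trust-store layouts discussed above and
// shows which client certificates each layout accepts. All names are made up.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate with the given CN, signed by parent/parentKey,
// or self-signed when parent is nil. CA certs carry no EKU (any use allowed);
// leaves carry clientAuth, the usage an SMTP server checks on a client cert.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// accepted reports whether leaf verifies as a client certificate when the
// server trusts `anchors` (the analogue of smtpd_tls_CAfile) and the client
// sends `presented` as the extra chain certificates in the TLS handshake.
func accepted(leaf *x509.Certificate, anchors, presented []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Outcome records, per trust-store layout, which client certs are accepted.
type Outcome struct {
	RootAndOurSubOurClient            bool // anchors: root + our sub-CA; our client, leaf only
	RootAndOurSubOtherClientNoChain   bool // same anchors; sibling sub-CA's client, leaf only
	RootAndOurSubOtherClientWithChain bool // same anchors; sibling client sends leaf + its sub-CA
	OurSubOnlyOurClient               bool // anchor: our sub-CA alone; our client, leaf only
	OurSubOnlyOtherClientWithChain    bool // anchor: our sub-CA alone; sibling sends leaf + sub-CA + root
}

// RunScenarios builds the PKI and evaluates every layout/client combination.
func RunScenarios() Outcome {
	root, rootKey := issue("Root CA", true, nil, nil)
	ourSub, ourSubKey := issue("Our Sub-CA", true, root, rootKey)
	otherSub, otherSubKey := issue("Other Sub-CA", true, root, rootKey)
	ourClient, _ := issue("our-client", false, ourSub, ourSubKey)
	otherClient, _ := issue("other-client", false, otherSub, otherSubKey)

	rootAndOurSub := []*x509.Certificate{root, ourSub}
	ourSubOnly := []*x509.Certificate{ourSub}
	none := []*x509.Certificate{}

	return Outcome{
		RootAndOurSubOurClient:            accepted(ourClient, rootAndOurSub, none),
		RootAndOurSubOtherClientNoChain:   accepted(otherClient, rootAndOurSub, none),
		RootAndOurSubOtherClientWithChain: accepted(otherClient, rootAndOurSub, []*x509.Certificate{otherSub}),
		OurSubOnlyOurClient:               accepted(ourClient, ourSubOnly, none),
		OurSubOnlyOtherClientWithChain:    accepted(otherClient, ourSubOnly, []*x509.Certificate{otherSub, root}),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The third result is the one that matters for the relay question: with the root in the trust store, a client issued by any sibling sub-CA is accepted as soon as it sends that sub-CA's certificate in the handshake, which real TLS clients normally do. Only the layout that anchors at the sub-CA alone rejects the sibling, and whether a given OpenSSL/Postfix build accepts such a non-self-signed anchor is exactly the "unable to get issuer certificate" problem reported above.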